Hi,

I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The Changelog is:

- Fix strict aliasing compiler warnings
- Interpret TTY audit data in auparse (Miloslav Trmač)
- Extract terminal from USER_AVC events for ausearch/report (Peng Haitao)
- Makefile cleanup (Philipp Hahn)
- Add USER_AVCs to aureport's avc reporting (Peng Haitao)
- Get auparse test suites working better
- When apps started by audispd die, restart them if their type is always
- Short circuit hostname resolution in libaudit if host is empty
- Remove selinux policy for zos-remote
- Update libauparse capabilities table
- If log_group and user are not root, don't check dispatcher perms
- Fix a bug when executing "ausearch -te today PM"
- Add --exit search option to ausearch
- Delete root user tests in auparse/test dir
- Improve performance of ausearch/report and drop dead code
- More code cleanups
- Fix parsing config file when kerberos is disabled
- Add new kernel capability event record types

This release fixes a bunch of little bugs in the Makefile, test suites, and
programs. A couple of bug fixes to call out: when you use log_group as a
non-root user, it tried to open and fstat the event dispatcher, but if you
are non-root, that is usually EPERM, and if you have audit rules for EPERM,
you create audit events every time you use ausearch.

When GSSAPI support was disabled, it was not able to parse the given config
file, so that was fixed to parse but ignore the settings.

The performance of ausearch/report should be better now. I think my testing
showed about 5%-10% improvement. This needs careful testing, though.

And lastly, I added a new option to ausearch to look for exit codes. If, for
example, you needed to find any syscall with EPERM exit, you can now
do "ausearch --start today --exit -EPERM".

Please let me know if you run across any problems with this release.

-Steve
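
To show what an exit-code search like "--exit -EPERM" selects, here is an added example (not code from the audit package or from the announcement) that filters raw SYSCALL records by exit value. The log lines are constructed, the function names are hypothetical, and record 501 stands in for the case described above where ausearch itself triggers an EPERM event.

```python
import errno
import re

# Constructed records in raw audit.log layout (not taken from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1300000000.101:501): arch=c000003e syscall=2 success=no exit=-1 items=1 pid=2101 auid=1000 uid=1000 comm="ausearch" exe="/sbin/ausearch" key="eperm"
type=SYSCALL msg=audit(1300000000.205:502): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2102 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="access"
type=SYSCALL msg=audit(1300000001.310:503): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2103 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="access"
type=USER_LOGIN msg=audit(1300000002.000:504): pid=2300 uid=0 auid=1000 msg='op=login res=success'
type=SYSCALL msg=audit(1300000003.412:505): arch=c000003e syscall=2 success=no exit=-1 items=1 pid=2104 auid=1001 uid=1001 comm="cat" exe="/bin/cat" key="eperm"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_exit_arg(arg):
    """Turn "-EPERM" or a plain number such as "3" into the raw exit value."""
    name = arg.lstrip("-")
    if name in errno.errorcode.values():
        # Raw SYSCALL records store a failed call as the negated errno.
        return -getattr(errno, name)
    return int(arg)  # ValueError for anything that is not a number


def search_exit(log_text, exit_arg):
    """Return SYSCALL records whose exit field equals the requested code."""
    want = parse_exit_arg(exit_arg)
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        event = EVENT_RE.search(line)
        if fields.get("type") != "SYSCALL" or event is None:
            continue
        try:
            code = int(fields["exit"])
        except (KeyError, ValueError):
            continue  # truncated or malformed record: skip, do not guess
        if code == want:
            hits.append({"serial": int(event.group(2)), "exit": code,
                         "exe": fields.get("exe", "").strip('"'),
                         "auid": fields.get("auid")})
    return hits


if __name__ == "__main__":
    for hit in search_exit(SAMPLE_LOG, "-EPERM"):
        print(hit)
```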